Post on 14-Apr-2018
7/30/2019 Sarbanes Oxley It Co
1/12
serena.com
The Impact of Sarbanes-Oxley on IT and Corporate Governance
August 2006
Table of Contents
Abstract
The Impact of Sarbanes-Oxley on IT and Corporate Governance
The Role of IT in Sarbanes-Oxley
Enterprise-Wide Compliance: Stop the Insanity
Ensuring IT's House Is in Order
Payroll Reconciliation: Months or Seconds?
Compliance with Section 302
Specific Certification Functionality
The Proof
Summary
Sarbanes-Oxley and Serena Products
Abstract
The intent of the Sarbanes-Oxley Act of 2002 is to protect investors by improving the accuracy and reliability
of corporate disclosures. The Sarbanes-Oxley Act created new standards for corporate accountability, as
well as new penalties for acts of wrongdoing. It changes how corporate boards and executives must interact
with each other and with corporate auditors. Holding the CEO and CFO accountable for the accuracy of
financial statements eliminates the possibility of an individual defending his action with, "I wasn't aware
of financial issues."
Simple Intent. Far-reaching Impact.
All public U.S. and international companies that have registered equity or debt securities with the Securities
and Exchange Commission need to comply. The key components of Sarbanes-Oxley are formalizing and
strengthening internal checks and balances within corporations and instituting levels of control and sign-off
to ensure that financial reporting exercises full disclosure and corporate governance is transacted with full
transparency. This rests on the ability to document, trace and audit any change that affects the financial
reporting structure.
The Impact of Sarbanes-Oxley on IT and Corporate Governance
Practically speaking, before the Sarbanes-Oxley Act, the stance regarding controls was all too often, "if
nothing goes wrong, it is assumed that the controls are working." Not only has that bar been raised, but it is
now also under a microscope. If the control activity is not identified, documented and validated, the control
is not considered effective even if it happens in practice. Controls must now be supported by evidence to
demonstrate that they are in place and working effectively.
Although there is more than enough general information available on the Act, this paper specifically focuses
on how the Sarbanes-Oxley Act impacts the IT department. IT and corporate governance ensure a transparent,
compliant, and accountable information infrastructure throughout the enterprise. Mistakes are costly.
Without the foundation of technology, compliance with Sarbanes-Oxley can easily become a profit leech
that is likely to swiftly and dramatically impact a company's success.
The Role of IT in Sarbanes-Oxley
The role of IT is twofold. First, provide support for enterprise-wide compliance. These process controls provide
checks and balances for the functional organizations, such as Finance, Order Processing, and so forth. For
example, a standard process for managing an order from initiation through collection of payment must exist
and be followed with appropriate approvals. Second, ensure that IT itself has adequate and documented
controls around security, application deployment, change management and other areas. Thus, changes to
an internal SAP system must be tested and signed off by the appropriate parties before being approved for
implementation.
All companies have various levels of IT control, but the processes are often informal, or they lack adequate
documentation and evidence. Frequently, the deficiency lies in the consistency and quality
of the documentation and evidential matter.
"Anyone who knowingly alters, falsifies, destroys, or otherwise tampers with a document
or record can be fined and/or imprisoned for up to 20 years." Sarbanes-Oxley Act of 2002
Enterprise-Wide Compliance: Stop the Insanity
At any given time, IT juggles hundreds of projects and change requests from business users throughout
the organization. Since any application that impacts the balance sheet must comply with Sarbanes-Oxley,
IT must manage and track each and every change request. Managing this via e-mail, spreadsheets and
sticky notes, or relying on nonintegrated systems, is time-consuming, costly and, most of all, risky. Imagine
tracking 700 change requests across multiple locations and several hundred users. As one Serena customer
discovered, it wasn't very efficient or productive. Yet this customer was not unlike most mid-size to large
companies. To gain control, the company implemented Serena TeamTrack enterprise-wide. TeamTrack
is a web-architected, secure and highly configurable process and issue management system. Now, every
department submits change requests to IT and participates in the sign-off process, increasing productivity
as well as providing complete, secure documentation and evidential matter in compliance with Sarbanes-
Oxley requirements.
Ensuring IT's House Is in Order
Any change that can affect financial data must be reported under Sarbanes-Oxley. If a defect in the ERP
system means past financial data was not correct, the company may need to restate earnings. This means
change management must be much more carefully documented and monitored than in the past.
Application lifecycle solutions provide control over IT processes to make them certifiable and auditable.
Effective and enforced processes ensure that a company's mission-critical software applications are not
exposed to potential failure due to oversight, error and other risks. Moreover, a good solution offers
an effective way of controlling IT processes around and beyond software development, providing the ability
to capture, track, version and report on changes to any process or system in an IT setting.
The objective of Sarbanes-Oxley is to govern companies' internal controls over financial reporting to ensure
accuracy. For years, financial management has been using spreadsheets to manage many processes. Some
of these spreadsheets are quite complex in nature, with complicated formulas, layers of linked spreadsheets,
data imports from other applications and multiple people entering and pulling data. Because spreadsheets
do not provide the process controls, audit trail, versioning or reporting required to submit adequate
evidence, they are no longer an effective means of managing financial data by themselves. Subsequently,
many companies have tried to implement or reconfigure their existing high-overhead, complex ERP system.
Because these systems are difficult to configure, use and maintain, management quickly discovers how
inordinately time-consuming these systems can be.
Payroll Reconciliation: Months or Seconds?
Each pay period the Payroll Clerk at a mid-sized manufacturing company must review and reconcile budgeted
payroll against actual payroll. If there is a difference over 2.5%, the Payroll Clerk must raise an issue and
document the reason. A difference of 5% or more must go to the Department Manager for explanation
(a one-time bonus, etc.). This data must then go to the Financial Director, who reviews the data and approves
it or raises further issues for resolution by the Payroll Clerk. The process continues until all issues are resolved
and approved by the Financial Director.
Providing evidence of this one internal control can take months to implement in most ERP systems, and if
the process or people change, it may require consulting services to reconfigure the system appropriately.
Unfortunately, the law isn't so patient.
TeamTrack, Serena's process and issue management solution, provides the process wrapper around the internal
control processes, driving the right information to the right people at the right time. Self-documenting
and secure audit trails, and version control of spreadsheets and other Microsoft Office files (when combined
with Serena ChangeMan Meritage), automatically provide the evidence required by Sarbanes-Oxley,
without the financial or the system overhead.
Serena TeamTrack manages this internal control effortlessly. An automated script creates an issue in
TeamTrack and the Payroll Clerk is notified when it is time to reconcile payroll. Whether payroll reconciliation
is tracked in a spreadsheet, in TeamTrack or another system, the file is simply attached to the issue (this does
not apply if it's already in TeamTrack) and "Sent for Approval." This notifies the Financial Director, who
reviews the attached or inherent data, and either "Approves" or "Rejects" it with detailed notes. The complete
and secure audit trail is self-documenting, and the evidence is provided to fulfill the requirements of
Sarbanes-Oxley.
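As an added example (not code from Serena or TeamTrack), the reconciliation control described above as a small Python workflow: the 2.5% and 5% thresholds route the issue to the roles the text names, "Send for Approval" is blocked until every required explanation is on record, and each action lands in an append-only audit trail. The class and function names are this example's own assumptions.

```python
# Added example, not Serena/TeamTrack code: the payroll reconciliation control above, with the text's thresholds; names are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timezone

ISSUE_THRESHOLD = 0.025   # over 2.5%: the Payroll Clerk must raise an issue and document why
MANAGER_THRESHOLD = 0.05  # 5% or more: the Department Manager must also explain

@dataclass
class PayrollIssue:
    period: str
    budgeted: float
    actual: float
    state: str = "Open"
    explanations: dict = field(default_factory=dict)  # role -> documented reason
    audit_trail: list = field(default_factory=list)   # (timestamp, actor, action, note)

    @property
    def variance(self) -> float:
        return abs(self.actual - self.budgeted) / self.budgeted

    def log(self, actor: str, action: str, note: str = "") -> None:
        # Append-only record of who did what, when and why: the evidence the control must yield.
        self.audit_trail.append((datetime.now(timezone.utc).isoformat(), actor, action, note))

def required_explanations(variance: float) -> list:
    """Roles that must document the variance, per the thresholds in the text."""
    roles = ["Payroll Clerk"] if variance > ISSUE_THRESHOLD else []
    if variance >= MANAGER_THRESHOLD:
        roles.append("Department Manager")
    return roles

def explain(issue: PayrollIssue, role: str, reason: str) -> None:
    issue.explanations[role] = reason
    issue.log(role, "Documented reason", reason)

def send_for_approval(issue: PayrollIssue) -> bool:
    """Route to the Financial Director only once every required explanation is on record."""
    missing = [r for r in required_explanations(issue.variance) if r not in issue.explanations]
    if missing:
        issue.log("Payroll Clerk", "Send for Approval blocked", "missing: " + ", ".join(missing))
        return False
    issue.state = "Pending Financial Director"
    issue.log("Payroll Clerk", "Sent for Approval", f"variance {issue.variance:.1%}")
    return True

def director_decision(issue: PayrollIssue, approve: bool, notes: str) -> str:
    """Approve ends the cycle; Reject returns the issue to the clerk with detailed notes."""
    if issue.state != "Pending Financial Director":
        raise ValueError("nothing is awaiting the Financial Director")
    issue.state = "Approved" if approve else "Returned to Payroll Clerk"
    issue.log("Financial Director", "Approved" if approve else "Rejected", notes)
    return issue.state

def run_example() -> PayrollIssue:
    # Constructed sample: 424,000 actual against 400,000 budgeted is a 6% variance.
    issue = PayrollIssue("2006-08", budgeted=400_000.0, actual=424_000.0)
    explain(issue, "Payroll Clerk", "Actual exceeds budget by 6%")
    send_for_approval(issue)                 # blocked: the Department Manager has not explained
    explain(issue, "Department Manager", "One-time bonus paid to the line crew")
    send_for_approval(issue)
    director_decision(issue, approve=False, notes="Attach the bonus authorisation")
    send_for_approval(issue)                 # the clerk resubmits after resolving the note
    director_decision(issue, approve=True, notes="Bonus authorisation verified")
    return issue
```

The audit trail returned by run_example() shows the blocked submission as well as the rejection, which is the evidence an auditor would ask for.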
Some other examples of financial internal control processes (also easily managed by TeamTrack) include:
General Ledger entry, reconciliation and approval
Procurement to Payables, including purchase request, approvals, budget reconciliation and payment
Customer Orders to Cash, including discount approvals, legal and financial management approvals,
customer signatures, credit approvals and accounts receivable validation
No two organizations are alike; thus there are no one-size-fits-all solutions. All solutions require
adaptability and configurability to meet the needs of individual organizations and their specific processes.
The difference is in how easy the solution is to configure, modify, maintain, and employ by non-technical users.
Across platforms, TeamTrack creates enforceable and configurable workflows for any IT process and documents
every change and/or action made by every person involved in a given process, providing evidence
about what has been done, by whom and when. Easily modeled and fine-tuned, it provides a clear view every
step of the way and assurance that processes cannot be subverted.
TeamTrack governs the access to systems and information, including:
Dashboard view of compliance status in all areas
Functional department view of compliance status and open issues
Control of changes to the production environment
Approval of the change request by all pertinent stakeholders throughout the change
request lifecycle
Detailed, secure audit trail throughout the change request lifecycle
Managed process of the change itself
Integration with existing tools in the environment
Sarbanes-Oxley and Section 302
TeamTrack also automates the quarterly representation letter certification process for
compliance with Section 302 of the Sarbanes-Oxley Act. This process tracks the certification of relevant
employees to make sure they have fully submitted and disclosed all revenue activities, and that no further
revenue activities are pending. Fully configurable to match the organizational structure of any company,
individual employees first provide certification for their areas of jurisdiction. Upon their approvals, these
certifications are rolled up into summary certifications for business unit executives to provide their
attestation. Once approved, a final request is presented to corporate management for final review and certification.
Very simply, each step of the process is tracked, employees are automatically notified as to their specific
tasks, and the executives have a full view of compliance status.
Providing mechanisms for intelligent task management and routing among project team members, TeamTrack
provides workflows for each internal control document type to intelligently route tasks based on status or other
data associated with internal controls. Assigned tasks are indicated on each user's Home Page. Task details provide
each user with links to work that must be performed and actions they must take to complete their tasks.
Real-time dashboards provide executives and managers with configurable, up-to-the-minute status, alerts
and drill-down capabilities that enable issues to be identified and corrected quickly and easily.
Specific Certification Functionality
Specific certification functionality includes:
Full configurability of any form
Full change control, audit trails and monitoring
Version control over each respondent state/instance of every issue
Automated workflow-driven processing from assessor to certifier to survey administration
to managerial oversight via monitorable email notifications
A highly flexible workflow, where certification processes may be executed for any object level,
including entity-specific, process-specific and/or control-specific views
Full certification and sub-certification support, including standard templates to help ensure
the rapid deployment and consistent support of executive reporting obligations
"With Professional, we now have visibility and reportability into the projects. Software is a
really valuable resource; it's part of the company's assets. We need to know where the
projects are at any time and be able to obtain statistics about our productivity and then be
able to communicate this. Using Professional is the perfect tool for this." Software R&D Manager, ASM Pacific Technology
The time and effort of establishing rigorous, repeatable processes reaps many rewards, including:
An enterprise-wide process for managing change
A single point of control for all changes, across other tools and platforms
Reduced risks of compliance issues and audit failures
Greater compliance with processes and procedures
Greater scalability to support business expansion
Within the IT department, TeamTrack provides the process wrapper to ensure that there are repeatable,
enforceable, auditable processes around managing projects and managing the entire application
development lifecycle.
At a minimum, the following information is captured: date of the change request, person(s) requesting the change,
documentation update date, and move-date into production. The attached documents include: change verification,
baseline update and change control workflow.
Change Control Workflow
(Flowchart in the original; the steps it shows, in order:)
Change Request Completed in TeamTrack
Forwarded to Supervising Manager: Change Approved? (Yes continues to the next step, No branches off)
Forward to IT for Approval: Change Approved? (Yes continues to the next step, No branches off)
Forward to IT Business Owner for Approval: Change Approved? (Yes continues to the next step, No branches off)
Implement Change
Add Release Notes
Upload Verification
Close Record
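The change control workflow above as an added Python example (not Serena's code): each "Change Approved?" gate accepts a decision only from the role the chart names for it, the post-approval steps run only in chart order, and any out-of-order attempt is refused and recorded in the audit trail alongside the minimum data the text says must be captured. Role and step names come from the chart; the data structures and what happens on a No are this example's assumptions.

```python
# Added example, not Serena/TeamTrack code: the change control workflow above as an enforced
# state machine with an audit trail. Role names follow the chart; everything else is assumed.
from dataclasses import dataclass, field
from datetime import date, datetime, timezone
GATES = [("Supervising Manager", "Forwarded to Supervising Manager"),   # (deciding role, stage)
         ("IT", "Forward to IT for Approval"),
         ("IT Business Owner", "Forward to IT Business Owner for Approval")]
STEPS = ["Implement Change", "Add Release Notes", "Upload Verification", "Close Record"]

@dataclass
class ChangeRequest:
    title: str
    requested_by: list            # person(s) requesting the change
    requested_on: date            # date of the change request
    gates_passed: int = 0
    steps_done: int = 0
    state: str = GATES[0][1]      # the action currently pending
    move_date: date = None        # move-date into production
    attachments: dict = field(default_factory=dict)
    audit_trail: list = field(default_factory=list)  # (timestamp, actor, action, note)

    def log(self, actor: str, action: str, note: str = "") -> None:
        self.audit_trail.append((datetime.now(timezone.utc).isoformat(), actor, action, note))

def decide(cr: ChangeRequest, role: str, approver: str, approved: bool, note: str = "") -> bool:
    """Record a 'Change Approved?' decision; only the role at the current gate may decide."""
    if cr.state == "Rejected" or cr.gates_passed >= len(GATES) or role != GATES[cr.gates_passed][0]:
        cr.log(approver, "Refused", f"{role} cannot decide while state is '{cr.state}'")
        return False
    cr.log(approver, "Approved" if approved else "Rejected", note)
    if approved:
        cr.gates_passed += 1
        cr.state = GATES[cr.gates_passed][1] if cr.gates_passed < len(GATES) else STEPS[0]
    else:
        cr.state = "Rejected"     # assumption: a No at any gate ends this request
    return True

def perform(cr: ChangeRequest, step: str, actor: str, move_date=None, attachment=None) -> bool:
    """Run a post-approval step; all gates must be passed and steps follow chart order."""
    if cr.gates_passed < len(GATES) or cr.steps_done >= len(STEPS) or step != STEPS[cr.steps_done]:
        cr.log(actor, "Refused", f"'{step}' attempted while state is '{cr.state}'")
        return False
    if step == "Implement Change":
        cr.move_date = move_date
    elif step == "Upload Verification":
        cr.attachments["change verification"] = attachment
    cr.steps_done += 1
    cr.state = STEPS[cr.steps_done] if cr.steps_done < len(STEPS) else "Closed"
    cr.log(actor, step)
    return True

def run_example() -> ChangeRequest:
    # Constructed sample: a change to an internal SAP system, with two out-of-order attempts.
    cr = ChangeRequest("SAP posting fix", ["requester"], date(2006, 8, 1))
    perform(cr, "Implement Change", "developer", move_date=date(2006, 8, 9))  # refused: no approvals
    decide(cr, "IT", "it_lead", True)                                          # refused: wrong gate
    decide(cr, "Supervising Manager", "manager", True, "scope reviewed")
    decide(cr, "IT", "it_lead", True, "tested in QA")
    decide(cr, "IT Business Owner", "owner", True, "business sign-off")
    perform(cr, "Implement Change", "developer", move_date=date(2006, 8, 9))
    perform(cr, "Add Release Notes", "developer")
    perform(cr, "Upload Verification", "developer", attachment="verification.pdf")
    perform(cr, "Close Record", "manager")
    return cr
```

Filtering the audit trail for "Refused" entries gives the out-of-order attempts an auditor would want to see, without any separate alerting code.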
The Proof
At Robert Mondavi, Serena TeamTrack was key in achieving government regulatory compliance. The company
had a critical audit trail covering the complete project lifecycle and providing proof of internal customer
approvals. Robert Mondavi found itself well prepared to achieve Sarbanes-Oxley compliance when it came to
providing an audit trail of development activities. Each member of the team can easily create reports in TeamTrack
to show audit trails, so they can routinely spot-check processes to maintain Sarbanes-Oxley compliance.
As another example, a large national bank found that TeamTrack helped them keep their own house in order
to support Sarbanes-Oxley compliance. By automating their development processes and meeting their Service
Level Agreements consistently, they created a more stable production environment, dramatically improved
their change success rate, consumed less time resolving production issues, and had more IT projects
completed with the same number of resources. The bank has better metrics relating to production issues,
environment and change management. The IT Director said, "I took an organization from a stage 2 maturity
level to a stage 4.5 maturity level with TeamTrack, with minimal investment in 14 weeks, fully supporting
our Sarbanes-Oxley compliance initiatives."
Enforceable controls
Ensure that all functional departments document, use, enforce and automatically provide evidence
of their process controls and control changes to the production environment.
Accountability
No step is forgotten. That way you'll know exactly who did what and when.
Flexibility
Modify your control processes on-the-fly, and automate the mechanisms for continual review.
Compliance is an ongoing, dynamic process. Once the initial work of Sarbanes-Oxley compliance is completed,
organizations must focus on moving to an optimized level of internal control that improves the efficiency
of the entire process.
Summary
Non-compliance penalties range from the loss of exchange listing and loss of corporate insurance to multimillion-
dollar fines and imprisonment. It can also result in a lack of investor confidence. A CEO or CFO who submits a
wrong certification is subject to a fine of up to $1 million and imprisonment for up to ten years. If the wrong
certification was submitted willfully, the fine can be increased up to $5 million and the prison term can be
increased up to twenty years.
Clearly, failure to comply with these regulations will result in forced public disclosures, which may lower
shareholder confidence and tarnish the company's brand. Compliance is not only a matter of the law,
but critical to the protection of the company's brand and value in the marketplace.
Mistakes are costly. Without the foundation of a simple, yet flexible solution such as TeamTrack, compliance
with Sarbanes-Oxley can easily become a profit leech that is likely to swiftly and dramatically impact
a company's success.
Sarbanes-Oxley and Serena Products
For more information on how the following products support Sarbanes-Oxley, visit www.serena.com
or contact your account representative.
TeamTrack Enterprise Process Management: The process wrapper around the internal controls and
change requests
TeamTrack Connector for SAP: Pre-defined process for managing changes to the SAP environment
Collage: Audit trail and process enforcement for Web content requests and changes
Dimensions: Robust application lifecycle management for distributed and mainframe environments
ChangeMan ZMF: Application development version control for the mainframe
ChangeMan Meritage: Version management for Microsoft Office files
ChangeMan Version Manager: Application development version management
Serena Worldwide Headquarters
Serena Software, Inc.
Corporate Offices
2755 Campus Drive
Third Floor
San Mateo, California 94403-2538
United States
800.457.3736 T
650.522.6699 F
info@serena.com
Serena European Headquarters
Serena Software Europe Ltd.
Hertfordshire
Abbey View Everard Close
St. Albans
Hertfordshire AL1 2PS
United Kingdom
+44 (0)800.328.0243 T
+44 (0)1727.869.804 F
ukinfo@serena.com
Serena Asia Pacific Headquarters
Serena Software Pte Ltd
360 Orchard Road
#12-10
International Building
Singapore 238869
+65 6834.9880 T
+65 6836.3119 F
apinfo@serena.com
About Serena
Serena Software, the Change Governance leader, helps more than 15,000 organizations around the world,
including 96 of the Fortune 100 and 90 of the Global 100, turn change into a business advantage. Serena
is headquartered in San Mateo, California, and has offices throughout the U.S., Europe, and Asia Pacific.
Contact
Learn more about the enterprise-wide power of Serena products by visiting www.serena.com or contacting
one of our sales representatives in your area.
Copyright 2006 Serena Software, Inc. All rights reserved. Serena, TeamTrack, ChangeMan, PVCS, StarTool, Collage and Comparex are registered trademarks of Serena Software.
Change Governance, Command Center, Dimensions, Mover and Composer are trademarks of Serena Software, Inc. All other product or company names are used for identification
purposes only, and may be trademarks of their respective owners. WP885_01_0205_08.06